Although massive hacks of crypto exchanges are rare in the modern Web 3.0 industry, users should be aware of all the risks that come with crypto trading. In 2022 there were two big exchange hacks. The Liechtenstein-based exchange LCX lost $6.8M after one of its hot wallets was compromised. That same month, the well-known exchange Crypto.com admitted to a $35M hack affecting 483 of its users: attackers managed to carry out unauthorized withdrawals. Following the incident, Crypto.com announced a series of security measures to prevent a repeat. In earlier years, however, there were incidents in which individual exchanges lost more than $100M. So assets held on a crypto exchange are not guaranteed to be fully protected.
In the modern Web 3.0 world, users' security is first of all their own responsibility. In this article we give general guidance on how a user can conduct a basic security check of a crypto exchange, so that their money does not end up in the hands of bad actors.
Use reliable data platforms
Most crypto traders are not technical or security professionals, so they lack the knowledge and skills to conduct a comprehensive security assessment of an exchange. Such an assessment also takes time, and traders are not willing to spend their weekends or evenings after work analyzing exchanges. Instead, they can use reputable data platforms such as CoinGecko and CER.live to see whether their chosen exchange(s) is a secure choice.
CoinGecko gives each exchange a trust score made up of components for liquidity, scale, API coverage, team, incidents, and cybersecurity. The cybersecurity component carries 20% of the final score; its data is supplied to CoinGecko by CER.live, a cybersecurity ranking and certification platform. The "incident" component records whether an exchange has been involved in any security or functional issues affecting users. An exchange that scores the maximum on both the "cybersecurity" and "incident" components is a reasonable choice for users, though a good score is evidence of good practice, not a guarantee against future loss.
CoinGecko's trust score is an overall estimate of an exchange. For a more detailed security picture, traders should look at the security rating that CER.live assigns to exchanges; the most secure ones carry an AAA rating. Generally, exchanges that satisfy the three basic security indicators (penetration test, proof of funds, and bug bounty) are the safest choice for traders.
Traders can combine CER.live's security rating with CoinGecko's trust score for a more accurate picture.
Basic Security Indicators Assessed by CER.live
Penetration Test
A form of security testing in which professional security engineers imitate real-world attacks to find weaknesses in the systems under test. The testing does no real damage to the client, but the engineers use the same tools and information that malicious actors would use in a real attack. CER.live counts penetration test results as valid for one year; an older test no longer earns the indicator.
Proof of Funds
An exchange with more than $1M in BTC and ETH across its hot and cold wallets gets a tick for this indicator. Note that this shows the exchange holds a meaningful amount of reserves; it does not by itself prove that those reserves cover customer liabilities.
Bug Bounty
A security check of the exchange performed by a community of white-hat hackers who are rewarded for finding bugs in its systems; the more severe the vulnerability an ethical hacker reports, the higher the payout. There are two types of bug bounty program: third-party managed and self-hosted. The maximum score for this indicator goes to third-party managed programs and to self-hosted programs that have been verified by an independent auditor. If a self-hosted program has not been verified by an auditor, the exchange gets only 5/10 for this indicator.
CER.live specialists also check whether an exchange meets the ISO/IEC 27001 standard, the main international standard for information security management systems. Compliance is voluntary, so an exchange that meets it gives a strong signal of its focus on users' security; where possible, look for a certificate issued by an accredited certification body rather than a self-declaration. The CER.live security score also includes an indicator called "funds insurance": if an insured exchange is hacked, it can recover at least part of the loss from the insurer. The amount and conditions of the coverage matter, so it is worth checking the policy terms where the exchange publishes them.
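The three basic indicators above follow simple stated rules: a penetration test counts only while it is under a year old, proof of funds needs more than $1M in BTC and ETH, and a bug bounty earns full credit only when it is third-party managed or independently audited. The Python below is an added example, not CER.live's code or methodology. It encodes just those rules against constructed exchange records (the exchange names, dates and balances are made up), assumes a 10-point scale per indicator (the page only gives the 10 vs 5 split for bug bounties), and shows how a stale penetration test drops an exchange out of the "all three basic indicators" group.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rules as stated on the page
PENTEST_VALIDITY = timedelta(days=365)   # pentest results are valid for one year
PROOF_OF_FUNDS_MIN_USD = 1_000_000       # more than $1M in BTC and ETH on hot + cold wallets
FULL_SCORE = 10                          # assumed 10-point scale per indicator


@dataclass(frozen=True)
class ExchangeSecurityFacts:
    """Hypothetical record of what is publicly known about an exchange's security posture."""
    name: str
    last_pentest: Optional[date]       # completion date of the latest published pentest, None if none
    btc_eth_balance_usd: float         # combined BTC + ETH holdings across hot and cold wallets, in USD
    bug_bounty: Optional[str]          # "third_party", "self_hosted", or None
    bug_bounty_audited: bool = False   # self-hosted programme verified by an independent auditor


def pentest_score(facts: ExchangeSecurityFacts, today: date) -> int:
    """Full credit only for a published test no older than PENTEST_VALIDITY."""
    if facts.last_pentest is None or facts.last_pentest > today:
        return 0                       # no test, or a future date (bad data): no credit
    return FULL_SCORE if today - facts.last_pentest <= PENTEST_VALIDITY else 0


def proof_of_funds_score(facts: ExchangeSecurityFacts) -> int:
    """Tick only if the BTC + ETH balance is strictly above the $1M threshold."""
    return FULL_SCORE if facts.btc_eth_balance_usd > PROOF_OF_FUNDS_MIN_USD else 0


def bug_bounty_score(facts: ExchangeSecurityFacts) -> int:
    """Third-party managed, or self-hosted and audited: 10; self-hosted unaudited: 5; none: 0."""
    if facts.bug_bounty == "third_party":
        return FULL_SCORE
    if facts.bug_bounty == "self_hosted":
        return FULL_SCORE if facts.bug_bounty_audited else FULL_SCORE // 2
    return 0


def basic_indicators(facts: ExchangeSecurityFacts, today: date) -> dict:
    """Score the three basic indicators for one exchange as of a given date."""
    return {
        "penetration_test": pentest_score(facts, today),
        "proof_of_funds": proof_of_funds_score(facts),
        "bug_bounty": bug_bounty_score(facts),
    }


def passes_basic_check(facts: ExchangeSecurityFacts, today: date) -> bool:
    """The page's rule of thumb: all three basic indicators at full score."""
    return all(v == FULL_SCORE for v in basic_indicators(facts, today).values())


# Constructed sample data (not real exchanges). AS_OF fixes "today" so results are reproducible.
AS_OF = date(2024, 1, 15)
SAMPLE_EXCHANGES = [
    # fresh pentest, well above the funds threshold, third-party bounty
    ExchangeSecurityFacts("ExampleEx-A", date(2023, 11, 1), 5_000_000, "third_party"),
    # pentest is about 16 months old, so it has expired; unaudited self-hosted bounty scores 5
    ExchangeSecurityFacts("ExampleEx-B", date(2022, 9, 15), 2_000_000, "self_hosted",
                          bug_bounty_audited=False),
    # nothing published and below the funds threshold
    ExchangeSecurityFacts("ExampleEx-C", None, 800_000, None),
]

if __name__ == "__main__":
    for ex in SAMPLE_EXCHANGES:
        scores = basic_indicators(ex, AS_OF)
        verdict = "all basic indicators met" if passes_basic_check(ex, AS_OF) else "NOT all met"
        print(f"{ex.name}: {scores} -> {verdict}")
```

Real inputs would come from the exchange's published audit reports, bounty page and wallet disclosures (or from CER.live itself); the point of the script is that the date check is what most often silently flips the verdict, since a test that was valid when you first looked expires a year later.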
In total, CER.live specialists evaluate more than 20 exchange security indicators. The methodology is public, and the full list of indicators with their weights in the final security score is available on CER.live.
Overall, users need to realize that the security of all the virtual assets they use for trading depends on whether their exchange follows security best practices. Whether it does can be checked on data platforms such as CER.live and CoinGecko. User-centered exchanges do not neglect the highest security standards.